1. Technical Field
This invention relates to a content distribution system for encrypting digital contents such as movies and music works and distributing the encrypted contents to a plurality of output apparatuses, in particular to a technology of assigning a unique key to be used for decrypting an encrypted content to each output apparatus so that, even if a key assigned to an output apparatus is leaked, the output apparatus which leaked the key can be traced.
2. Background Art
With the proliferation of high-speed communication paths, notably, Asymmetrical Digital Subscriber Line (ADSL), optical fibers and the like, services which provide digitalized contents such as music and video via a communication path have been actively introduced. With the introduction of such services, there has been a need for copyright protection methods for preventing unauthorized use of contents such as unauthorized duplication. In general, an encryption technology is used for the copyright protection method for preventing the unauthorized use of contents. That is, a digital content is encrypted with a content encryption key and distributed through a communication path, and only an output apparatus having a content decryption key corresponding to the content encryption key can decrypt the encrypted content so as to reproduce the original digital content.
In general, a content decryption key assigned to each output apparatus is stored secretly. However, there is a possibility that an attacker may obtain a content decryption key commonly assigned to all output apparatuses. Once the content decryption key assigned to a terminal is leaked, there is a threat that an attacker may create an unauthorized terminal which decrypts a digital content using that content decryption key, whose leakage cannot be traced, and use the content in an unauthorized manner. As a means for preventing such unauthorized use of contents, a system has been proposed which can trace the output apparatus that is the origin of the leakage by assigning a key individually to each output apparatus. In a broadcasting station type content distribution in which the same data is distributed to all the output apparatuses, as a method for preventing unauthorized use of contents, there is, for example, a content distribution system disclosed in Non-Patent Literature 1 (See “Dejitaru Hosokyoku Sisutemu no Shikumi (Mechanism of Digital Broadcasting Station System)”, edited by The Institute of Image Information and Television Engineers, Ohm Publisher).
FIG. 35 shows a conventional content distribution system disclosed in Non-Patent Literature 1. In FIG. 35, a communication path 90 is a communication path connecting a key issuing center 91, a server 92, and a plurality of output apparatuses 93a to 93n (which are to be described later) to each other, and is embodied in a network such as the Internet. The key issuing center 91 creates a content encryption key CEK and a content decryption key CDK for encrypting and decrypting a content CNT, and distributes the content encryption key CEK to the server 92 and the content decryption key CDK, as key update information UPDKEY=Enc (IKa, CDK)∥Enc (IKb, CDK)∥ . . . Enc (IKn, CDK), to a plurality of output apparatuses 93a to 93n. Here, Enc (K, P) is a cipher text obtained by encrypting a plaintext P using an encryption key K. IKa . . . IKn are individual keys which are previously given to respective pairs of the key issuing center 91 and the plurality of output apparatuses 93a to 93n. For example, the key issuing center 91 previously shares the individual key IKa with the output apparatus 93a, the individual key IKb with the output apparatus 93b, and the individual key IKn with the output apparatus 93n. The server 92 encrypts the content CNT based on the content encryption key CEK, and distributes the encrypted content ENCCNT to the plurality of output apparatuses 93a to 93n. The plurality of output apparatuses 93a to 93n decrypt the received encrypted content ENCCNT based on the key update information UPDKEY, and output the decrypted content DECCNT to the outside. Here, the content encryption key CEK and the content decryption key CDK have values common to all the output apparatuses 93a to 93n. Therefore, an attacker who obtained an individual key may create an unauthorized output apparatus having the content decryption key CDK embedded therein, the leakage of which cannot be traced.
However, if the key issuing center 91 updates the content encryption key CEK and the content decryption key CDK to the new values, it is possible to revoke such an unauthorized output apparatus having the content decryption key CDK embedded therein so that it cannot use contents in the future.
Here, the operations of the respective constituents are explained in more detail. First, a method for sharing a content decryption key CDK among all the output apparatuses 93a to 93n is explained. The key issuing center 91 generates a content encryption key CEK and a content decryption key CDK, and transmits the content encryption key CEK to the server 92. Next, it encrypts the content decryption key CDK based on the individual keys IKa, IKb, . . . IKn previously shared respectively with the output apparatuses 93a to 93n, and distributes the value of a concatenation of the respective cipher texts Enc (IKa, CDK), Enc (IKb, CDK), . . . and Enc (IKn, CDK) to the plurality of output apparatuses 93a to 93n as key update information UPDKEY=Enc (IKa, CDK)∥Enc (IKb, CDK)∥ . . . Enc (IKn, CDK). The server 92 receives the content encryption key CEK, while the output apparatus 93a receives the key update information UPDKEY, extracts the cipher text Enc (IKa, CDK) that corresponds to its own individual key IKa from the key update information UPDKEY, decrypts the cipher text Enc (IKa, CDK) based on the individual key IKa, and obtains the content decryption key CDK. Note that each of the output apparatuses 93b to 93n other than the output apparatus 93a extracts the cipher text that corresponds to its own individual key from the key update information UPDKEY, decrypts the cipher text, and obtains the content decryption key CDK, in the same manner as the output apparatus 93a. By doing so, the content decryption key CDK can be shared among all the output apparatuses 93a to 93n.
Next, the operations in the case where a content is distributed are explained. First, the server 92 receives the content CNT from outside, encrypts the content CNT based on the content encryption key CEK, and distributes the encrypted content ENCCNT=Enc (CEK, CNT) to the plurality of output apparatuses 93a to 93n. The plurality of output apparatuses 93a to 93n which received the encrypted content ENCCNT decrypt the encrypted content ENCCNT based on the content decryption key CDK and output the decrypted content DECCNT to the outside.
Note that the key issuing center 91 can revoke an output apparatus having a specific individual key so that it cannot decrypt a content CNT. Here is an explanation of the case where an output apparatus having the individual key of the output apparatus 93a is revoked. First, the key issuing center 91 receives an output apparatus identifier AIDa for identifying the output apparatus 93a, newly generates a content encryption key CEK and a content decryption key CDK, and transmits the content encryption key CEK to the server 92. After that, it encrypts the content decryption key CDK using each of the individual keys IKb to IKn other than the individual key IKa which is previously shared with the output apparatus 93a that corresponds to the output apparatus identifier AIDa, and distributes, to the plurality of output apparatuses 93a to 93n, the value of a concatenation of cipher texts Enc (IKb, CDK), . . . and Enc (IKn, CDK) as key update information UPDKEY=Enc (IKb, CDK)∥ . . . Enc (IKn, CDK). Accordingly, the output apparatuses 93b to 93n other than the output apparatus 93a can obtain the content decryption key CDK, and thus can decrypt the encrypted content ENCCNT=Enc (CDK, CNT) properly. However, the output apparatus 93a that corresponds to the output apparatus identifier AIDa cannot obtain the content decryption key CDK, so it cannot decrypt the encrypted content ENCCNT=Enc (CDK, CNT). Note that, also in the case where any of the output apparatuses 93b to 93n other than the output apparatus 93a is revoked, operations similar to those for the output apparatus 93a are performed, except that the individual keys used for encrypting the content decryption key CDK differ. By doing so, the key issuing center 91 can revoke the output apparatus.
According to such a system, even if an attacker obtains, in an unauthorized manner, an individual key embedded in any of the output apparatuses 93a to 93n and creates an output apparatus using the individual key, the output apparatus which is the origin of the leakage can be traced from the individual key embedded in the unauthorized output apparatus. Therefore, it is possible to take measures such as revocation of that output apparatus.
However, the above-mentioned conventional structure has a problem that when the key issuing center updates a content encryption key and a corresponding content decryption key in order to revoke an unauthorized output apparatus having the content decryption key embedded therein, the data size of key update information to be distributed to output apparatuses increases as the number of output apparatuses increases.
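The key sharing and revocation procedure of the conventional system described above, together with the growth of UPDKEY noted in the preceding paragraph, can be followed in the sketch below. It is an added example, not part of the original disclosure. Assumptions: Enc is replaced by a toy HMAC-SHA256 construction, the key sizes and identifiers AID0 to AID3 are constructed, and each apparatus locates its own entry by checking an authentication tag, since the text does not say how the entry is found.

```python
import hashlib, hmac, os

KEY_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32      # constructed sizes, not from the page
SLOT_LEN = NONCE_LEN + KEY_LEN + TAG_LEN      # bytes per Enc(IKx, CDK) entry

def _stream(ik, nonce):
    return hmac.new(ik, b"enc" + nonce, hashlib.sha256).digest()[:KEY_LEN]

def _tag(ik, nonce, body):
    return hmac.new(ik, b"mac" + nonce + body, hashlib.sha256).digest()

def enc(ik, cdk):
    """Toy stand-in for Enc(IK, CDK): HMAC-SHA256 keystream XOR plus a MAC tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(cdk, _stream(ik, nonce)))
    return nonce + body + _tag(ik, nonce, body)

def dec(ik, slot):
    """Return CDK if this entry was made under ik, else None."""
    nonce, body, tag = slot[:NONCE_LEN], slot[NONCE_LEN:-TAG_LEN], slot[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(ik, nonce, body)):
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(ik, nonce)))

def make_updkey(individual_keys, cdk, revoked=()):
    """Key issuing center: UPDKEY = Enc(IKa,CDK) || ... for every non-revoked apparatus."""
    return b"".join(enc(ik, cdk) for aid, ik in individual_keys.items()
                    if aid not in revoked)

def recover_cdk(ik, updkey):
    """Output apparatus: find the entry its own individual key authenticates (assumed lookup)."""
    for off in range(0, len(updkey), SLOT_LEN):
        cdk = dec(ik, updkey[off:off + SLOT_LEN])
        if cdk is not None:
            return cdk
    return None

def demo(n=4):
    """Initial key distribution, then a rekey that revokes apparatus AID0."""
    keys = {f"AID{i}": os.urandom(16) for i in range(n)}   # constructed individual keys
    cdk_old, cdk_new = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    return keys, cdk_old, make_updkey(keys, cdk_old), cdk_new, make_updkey(keys, cdk_new, {"AID0"})

if __name__ == "__main__":
    keys, cdk_old, upd_old, cdk_new, upd_new = demo()
    for aid, ik in keys.items():
        print(aid, "old:", recover_cdk(ik, upd_old) == cdk_old,
              "new:", recover_cdk(ik, upd_new) == cdk_new)
    for n in (10, 1000, 100000):   # UPDKEY grows linearly with the number of apparatuses
        print(n, "apparatuses ->", n * SLOT_LEN, "bytes of UPDKEY")
```

Every rekey, including one that revokes a single apparatus, resends one entry per remaining apparatus, which is the size problem the preceding paragraph identifies.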